`coreos-boot-edit.sh` creates `/boot/.root_uuid` as `unlabeled_t` #1770

travier · 2024-07-31T10:39:27Z

Describe the bug

https://github.com/coreos/fedora-coreos-config/blob/testing-devel/overlay.d/05core/usr/lib/dracut/modules.d/35coreos-ignition/coreos-boot-edit.sh likely runs before we've loaded the SELinux policy and writes /boot/.root_uuid which ends up not being labeled (unlabeled_t).

Reproduction steps

Boot FCOS. Run:

ls -alhZ /boot

Expected behavior

All files are correctly labeled.

Actual behavior

/boot/.root_uuid is unlabeled_t.

System details

N/A

Butane or Ignition config

None

Additional information

No response

The text was updated successfully, but these errors were encountered:

jlebon · 2024-08-06T20:29:34Z

A coreos-relabel would fix it for new systems, but I think that'd require changing coreos-boot-edit to actually do the temporary boot mount under /sysroot/boot instead of /mnt/boot_partition so the expected path lines up. (Though there's a bit of a layering violation in that the script would have to know that rdcore bind-boot writes that file; rdcore could itself call coreos-relabel instead, but that command so far hasn't really escaped this repo.)

We should probably fix it on existing systems, but it doesn't seem worth a barrier. We could bundle it in whatever the next barrier release we do.

dustymabe · 2024-09-05T19:58:06Z

We should probably fix it on existing systems, but it doesn't seem worth a barrier. We could bundle it in whatever the next barrier release we do.

@jbtrystram is working on a migration script to fixup labels on systems for #1771 and various other issues so we can fix these too.

We kind of need all of these root causes of the unlabeled files fixed too before we can release the migration script (i.e. freshly installed systems at a certain point should have no unlabeled_t once installed).

What's the proper fix for this root cause?

The `rdcore bind-boot` command write files to the bootfs but currently doesn't relabel them. Let's just relabel it from this side for now. In the future we could look at having `rdcore` call `setfiles` like Ignition does, or better, make `coreos-relabel` a more public API. This fixes coreos/fedora-coreos-tracker#1770 for new installs. Refrained from adding tests for this. I think instead what we need is once all these relabeling issues are fixed, a test that verifies that *everything* is labeled.

jlebon · 2024-09-10T14:08:12Z

Opened coreos/fedora-coreos-config#3155 for this.

jlebon · 2024-09-10T18:20:12Z

coreos/fedora-coreos-config#3155 only fixed the new installs case. We should still fix it on existing installs.

/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]>

/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]> (cherry picked from commit 2e355fd)

dustymabe · 2024-09-30T12:51:46Z

coreos/fedora-coreos-config@8d75174 fixes this for upgrading systems too.

/boot/efi and /sysroot dir and subfiles are unlabeled_t since 40.20240504.3.0. This is likely due to some missing scaffolding in the OSBuild software and definitions that we started using in [1]. These issues [2] [3] were addressed in [4] for new image builds, but we still need to fix upgrading systems, which we do here in this migration script. Note that we also fix a few files in /boot that were left unlabeled by `rdcore` [5] while we are in here. [1] coreos/fedora-coreos-tracker#1653. [2] coreos/fedora-coreos-tracker#1771 [3] coreos/fedora-coreos-tracker#1772 [4] coreos/coreos-assembler#3885 [5] coreos/fedora-coreos-tracker#1770 Co-authored-by: Dusty Mabe <[email protected]> (cherry picked from commit 2e355fd)

dustymabe · 2024-10-18T20:42:32Z

The fix for this went into next stream release 41.20241006.1.1. Please try out the new release and report issues.

dustymabe · 2024-10-18T20:42:38Z

The fix for this went into testing stream release 40.20241006.2.1. Please try out the new release and report issues.

dustymabe · 2024-10-28T19:47:19Z

The fix for this went into stable stream release 40.20241006.3.0.

travier added kind/bug area/selinux labels Jul 31, 2024

travier mentioned this issue Jul 31, 2024

tracker: Fedora 41 changes considerations #1714

Open

jlebon mentioned this issue Sep 10, 2024

coreos-boot-edit: relabel rdcore files coreos/fedora-coreos-config#3155

Merged

dustymabe assigned jlebon Sep 10, 2024

dustymabe added the jira for syncing to jira label Sep 10, 2024

jlebon closed this as completed in coreos/fedora-coreos-config@e183044 Sep 10, 2024

jlebon closed this as completed in coreos/fedora-coreos-config#3155 Sep 10, 2024

jlebon reopened this Sep 10, 2024

dustymabe mentioned this issue Sep 28, 2024

[rhcos-4.16] overlay.d: add 07fix-selinux-labels overlay coreos/fedora-coreos-config#3185

Merged

dustymabe added status/pending-testing-release Fixed upstream. Waiting on a testing release. status/pending-next-release Fixed upstream. Waiting on a next release. labels Sep 30, 2024

dustymabe closed this as completed Sep 30, 2024

dustymabe mentioned this issue Sep 30, 2024

[rhcos-4.17] overlay.d: add 07fix-selinux-labels overlay coreos/fedora-coreos-config#3186

Merged

dustymabe added status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. and removed status/pending-testing-release Fixed upstream. Waiting on a testing release. status/pending-next-release Fixed upstream. Waiting on a next release. labels Oct 18, 2024

dustymabe removed the status/pending-stable-release Fixed upstream and in testing. Waiting on stable release. label Oct 28, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`coreos-boot-edit.sh` creates `/boot/.root_uuid` as `unlabeled_t` #1770

`coreos-boot-edit.sh` creates `/boot/.root_uuid` as `unlabeled_t` #1770

travier commented Jul 31, 2024 •

edited

Loading

jlebon commented Aug 6, 2024

dustymabe commented Sep 5, 2024

jlebon commented Sep 10, 2024

jlebon commented Sep 10, 2024

dustymabe commented Sep 30, 2024

dustymabe commented Oct 18, 2024

dustymabe commented Oct 18, 2024

dustymabe commented Oct 28, 2024

coreos-boot-edit.sh creates /boot/.root_uuid as unlabeled_t #1770

coreos-boot-edit.sh creates /boot/.root_uuid as unlabeled_t #1770

Comments

travier commented Jul 31, 2024 • edited Loading

Describe the bug

Reproduction steps

Expected behavior

Actual behavior

System details

Butane or Ignition config

Additional information

jlebon commented Aug 6, 2024

dustymabe commented Sep 5, 2024

jlebon commented Sep 10, 2024

jlebon commented Sep 10, 2024

dustymabe commented Sep 30, 2024

dustymabe commented Oct 18, 2024

dustymabe commented Oct 18, 2024

dustymabe commented Oct 28, 2024

`coreos-boot-edit.sh` creates `/boot/.root_uuid` as `unlabeled_t` #1770

`coreos-boot-edit.sh` creates `/boot/.root_uuid` as `unlabeled_t` #1770

travier commented Jul 31, 2024 •

edited

Loading